Exercise 2: Simple Scan Detector

Input file: trace1.tcpdump

a) Write a event handler for 'connection_established' events that prints interesting stuff (IPs, ports, etc) for every established connection

b) count the number of established connections, and print at the end. Hint: need to use 'bro_done' event

c) count the number of established connections per remote originator and print the results. Hint: use a global table, and use the 'is_local_addr' function from site.bro

d) calculate ratio of established vs attempted connections per remote originator. Hint: To convert type 'count' to a 'double', multiply it by 1.0

e) calculate ratio of established vs attempted connections per originator, and print every 2 minutes. Hint: need a 'new_connection' event handler

f) generate an alarm (NOTICE) if success ratio is less than .2 and number of connection attempts > 10

g) same as (f), but alarm only once per originator

h) same as (f), but alarm only once per originator per 1 minute interval. Hint: use 'schedule' expression

Hints:

• Look at conn.bro for useful sample code
• Key events to use: bro_init(), bro_done(), new_connection(), connection_established()